“LTTS” (hereinafter referred to as “LTTS”, “Company”, “our”), for the purpose of this policy shall mean, L&T Technology Services Limited, all group companies, entities, subsidiaries, and affiliates.
“Personal Data” means any information relating to an identified or identifiable natural person.
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Data Subject” refers to individual or natural person who can be identified, directly or indirectly, via an identifier such as a name, an ID number, phone number, address, location data, or via factors specific to the person’s physical, physiological, genetic, mental, economic, cultural or social identity.
“Applicable Data Protection Laws” means all applicable international, federal, state, provincial and local laws, rules, regulations, directives, governmental requirements and guidelines currently in force and as they become effective relating in any way to the privacy, confidentiality or security of Protected Data and regulations governing general data protection and all applicable industry standards concerning privacy, data protection, confidentiality or information security. The Company undertakes to comply with all Applicable Data Protection Laws depending on the countries where the Company is established or is Processing Personal Data and hence will be subject to the local Applicable Data Protection Laws. Although certain requirements may vary from one country to another, LTTS is particularly concerned about the privacy of Data Subjects. Hence, this Policy constitutes a global guideline for LTTS as a whole, to which the Company is committed.
This policy applies to LTTS wherever a Data Subject’s Personal Data is processed:
- In the context of the business activities of LTTS.
- Hiring or recruitment of employees, consultants, interns, trainees, etc.
- Visitor management at LTTS premises.
- During supplier, third-party, contractor, or business associate onboarding,
- For the provision or offer of goods or services to individuals and customers (including those provided or offered free-of-charge) by any LTTS entity, subsidiary, and affiliate.
- To actively monitor the behaviour of individuals which includes without limitation, using data Processing techniques such as persistent web browser cookies, dynamic IP address tracking, audio-video surveillance, cyber threat prevention, biometric monitoring, to remain vigilant in order to ensure safety and security at LTTS premises, etc.
- This policy applies to all Processing of Personal Data records in any format or structure, either electronic or physical.
This policy has been designed to establish a baseline standard for the Processing and protection of Personal Data by LTTS.
LTTS may collect and Process Personal Data only if one of the following apply:
- The nature of the business purpose necessitates collection of the Personal Data from other persons or bodies.
- The collection of Personal Data is necessary for the performance of a contract to which the Data Subject is a party.
- The collection of Personal Data shall be carried out under emergency circumstances in order to protect the vital interests of the Data Subject or to prevent serious loss or injury to another person.
- The Personal Data is sourced from public record or has been made public by the Data Subject.
- Where the Data Subject is a child, the competent person, who may be the legal guardian of the concerned child, has consented to the collection of Personal Data.
- Data Subjects have given their consent to the collection and Processing of the Personal Data.
If Personal Data is collected from someone other than the Data Subject, the Data Subject shall be informed of the collection unless one of the following apply:
- The Data Subject has received the required information by other means.
- The Personal Data shall remain confidential due to a professional secrecy obligation.
- A national law expressly provides for the collection, Processing, or transfer of the Personal Data.
- Processing is necessary to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution, and punishment of offences.
- For the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated.
- To maintain the legitimate interests of the responsible party or of a third party to whom the information is transferred.
If LTTS receives unsolicited Personal Data, itwill determine within a reasonable period after receiving the Personal Data whether such collection of Personal Data meet the Data Protection principles under Applicable Data Protection Law. If not, LTTS will de-identify and/or destroy the collected Personal Data.
PURPOSES OF PROCESSING PERSONAL DATA
The following legal bases constitute the foundation on which the Company relies to carry out the Processing of Personal Data. Other legal bases may be used depending on where the Data Subject resides and the relevant Applicable Data Protection Law.
- Some Processing of Personal Data may be based on the consent of Data Subjects. The Processing of Personal Data for this purpose may involve.
- Marketing purposes, such as, sending newsletters and information about products and services offered by the Company.
- Processing for the purpose of execution of a contract or pre-contractual measures with Data Subjects. The Processing of Personal Data for this purpose may involve:
- Fulfillment of contractual obligations of LTTS towards Data Subjects.
- Complaint management.
- Processing Personal Data based on its legitimate interest, in particular in order to improve products and services, customer experience and internal processes of LTTS. The Processing of Personal Data for this purpose may involve:
- Conducting statistical/usage analysis
- Performing internal administrative functions
- Processing customer requests
- Prevent fraudulent activity and improve security
- Relationship management with Data Subjects
- Evaluation of the relevance of LTTS products and services
- LTTS may also Process Personal Data in order to respond to legal requirements based on the Applicable Data Protection Law.
RETENTION OF PERSONAL DATA
Personal Data so collected, will be deleted once the purpose of the Processing of Personal Data has been achieved. However, LTTS may retain Personal Data longer if necessary to comply with an applicable law including Applicable Data Protection Law, or if necessary to protect or exercise rights of LTTS, to the extent permitted by Applicable Data Protection Law.
At the end of the retention period, LTTS may also need to archive Personal Data, to comply with Applicable Data Protection Law, for a limited period of time and with limited access.
These retention periods may vary depending on the country where the Data Subjects reside and in accordance with Applicable Data Protection Law.
DISCLOSURE OF PERSONAL DATA
LTTS may share Personal Data, subject to consent obtained from the Data Subjects or other relevant legal basis, with the following:
- Authorized employees on a “need to know” basis.
- Other LTTS entities, group companies, subsidiaries, and affiliated companies.
- Business partners providing services on behalf of LTTS, such as, for technical support, for marketing purposes or for other types of service delivery.
- Governmental authorities and public authorities, as far as this is necessary to provide any services that have been requested or authorized, to protect customers, contractor and partners’ rights, or LTTS’s or others’ rights, property or safety, to maintain the security of the services or if LTTS is required to do so because of Applicable Data Protection Law, court or other governmental regulations, or if such disclosure is otherwise necessary in support of any legal or criminal investigation or legal proceeding
- Depending on Applicable Data Protection Law, LTTS implements contracts with some third parties to ensure that Personal Data are processed based on instructions given by LTTS and in compliance with this Policy and any other appropriate confidentiality and security measures.
TRANSFER OF PERSONAL DATA
The above-mentioned third parties such as affiliates and subsidiaries, as well as business partners, public authorities to whom LTTS may disclose Personal Data, may be located outside of a Data Subject’s country of domicile, potentially include countries whose Applicable Data Protection Laws may differ from those in the country in which Data Subjects are located.
If Personal Data is eventually transferred to third parties situated outside of a Data Subject’s country of domicile LTTS will ensure:
- The implementation of adequate procedures, to comply with Applicable Data Protection Law, and in particular, when a request for authorization from the competent supervisory authority is necessary.
- The implementation of appropriate organizational, technical, and legal safeguards to govern the said transfer and to ensure the necessary and adequate level of protection under Applicable Data Protection Law.
- For any Personal Data originating from the European Union that require transfer to a third-party outside the European Union, such transfer will only be on the basis of Standard Contractual Clauses as adopted by the European Commission.
- If necessary, LTTS will take supplementary measures such as completing a data transfer adequacy assessment if, after evaluation of the circumstances of the transfer, and after evaluation of the legislation of the third country, it is necessary for the protection of the transferred Personal Data.
- If Personal Data that doesn’t originate from the European Union/European Economic Area, and in the event Personal Data are disclosed to third parties located outside the Data Subject’s jurisdiction, the Company will ensure that appropriate safeguards are in place to protect Personal Data by implementing appropriate legal mechanisms. Those mechanisms may differ depending on the country and relevant Applicable Data Protection Law.
LTTS has implemented strict security measures, as required under Applicable Data Protection Law, in order to protect Personal Data from security incidents or accidental or unauthorized disclosure, access, loss, and more generally from a Personal Data breach. These security measures are recognized as appropriate security standards in the industry and include, inter alia, access controls, password protection, encryption, and regular security assessments.
If a Personal Data breach occurs, and in particular if there is a breach of security resulting, accidentally or unlawfully, in the destruction, loss, alteration, unauthorized disclosure or access to Personal Data transmitted, stored, or otherwise processed, LTTS will take appropriate measures such as:
- Investigating and analyzing in order to determine the consequences of the Personal Data Breach and in particular whether it is likely to create a risk for the rights and freedoms of those affected.
- If the analysis shows that there is a risk to the rights and freedoms of those affected, LTTS will notify the competent authority and, in case of high risk, communicate to those affected.
- Implement as soon as possible the measures necessary to remediate and mitigate the Personal Data breach.
- Document the Personal Data breach in order to ensure its traceability.
- Appropriate measures and procedures in the event of a Personal Data breach may differ depending on the country where it occurs, the type of breach and on the Applicable Data Protection Law.
Based on Applicable Data Protection Law, Data Subjects have rights related to their Personal Data, such as the right to request access, rectification, erasure of their Personal Data, restriction of Processing, object to Processing, request data portability, to be informed and withdraw their consent for Processing of Personal Data based on their consent. Data Subjects may also object to automated individual decision-making if they are concerned by such Processing.
The exercise of such rights is not absolute and is subject to the limitations provided by Applicable Data Protection Law.
Data Subjects may have the right to lodge a complaint with the local supervisory authority or the competent regulator if they consider that the Processing of their Personal Data infringes Applicable Data Protection Law.
Data Subjects, upon successful verification of their identity, are entitled to obtain the following information about their own Personal Data:
- The purposes of the collection, Processing, use and storage of their Personal Data.
- The source(s) of the Personal Data if it was not obtained from the Data Subject.
- The categories of Personal Data stored for the Data Subject.
- The recipients or categories of recipients to whom the Personal Data has been or may be transmitted, along with the location of those recipients.
- The envisaged period of storage for the Personal Data or the rationale for determining the storage period.
- The use of any automated decision-making, including profiling.
All requests by Data Subjects must be directed to the Data Protection Office as described in the section “How to contact us” below. A response to each request shall be provided within 30 days of the receipt of the written request from the Data Subject.
The Data Subjects will not have to pay a fee to access their Personal Data (or to exercise any of the other rights). However, LTTS may charge a reasonable fee if such request for access is clearly unfounded or excessive on in circumstances where a Data Subject seeks an additional copy of already provided information. Alternatively, LTTS may refuse to comply with the request in such circumstances.
UPDATES TO THIS POLICY
The Data Protection Office is responsible for the maintenance and accuracy of this policy. If necessary, LTTS may from time to time need to update this Policy in order to reflect new or different privacy practices. In such case, updated versions of this Policy will be uploaded on this page. A revised Policy will apply only to data collected subsequent to its effective date. Any changes to this policy shall come into force when published on LTTS website.
For any questions, comments, or concerns about this Policy, or in order to exercise the privacy rights permitted by Applicable Data Protection Laws related to Personal Data, please contact our Data Protection Officer by sending an e-mail to DPO@ltts.com.